- Event: Trend Micro: CloudSec Europe 2019 Europe
- Event Type: Conference
- Organiser: Trend Micro (https://www.trendmicro.com)
- Date: Friday 13th September 2019
- Location: The Old Billingsgate, London (http://www.oldbillingsgate.co.uk/)
Hosted in the iconic Old Billingsgate building in Central London for Cyber Security professionals throughout Europe to attend, this was certainly an event you wouldn’t want to miss. Throw into the mix the fact that the Digital industry is heading full speed into the cloud infrastructure and this event becomes even more prestigious to those concerned about cloud security.
Guest speakers included (but were not limited to):
- Alexandru Caciuloiu (CyberCrime and Cryptocurrency department at the United Nations)
- Charlie McMurdie (Former head of the Police National Cyber Crime Unit)
- Steven Bryen (Amazon Web Services)
- Theresa Payton (Cyber Security CEO and Former White House CIO)
- Variety of Trend Micro staff
With informational presentations from professionals deeply involved in the Cyber Security industry this event was certainly very interesting, insightful and definitely eye-opening. A common theme that was echoed by these professionals was the reality that breach is inevitable and it is important to concentrate on preparing damage limitation before a breach occurs.
This conference was packed with so much useful information I could write an extremely long article about it all, but the reality is that would likely discourage people from even attempting to read this page so if you’ve already made it this far then stick with me and I’ll try to summarise some of the key points as best as I can for you.
Key Points
With presentations by so many knowledgeable professionals there were several key points made. In the tradition of keeping these articles a reasonable length I will only cover the main points, which include:
- The possibility of Autonomous Weaponry
- The rise of DeepFake Ransomware
- IPv6 and 5G increasing the attack vector
- Companies predicting your future
- The requirement to invest in current staff
Autonomous Weaponry
Well that’s a scary thought, artificial intelligence controlled killing machines. With the rise of artificial intelligence it was only a matter of time before somebody wanted to start developing AI weaponry that would literally mean chunks of code flying around deciding whether or not to kill somebody. Currently, drones are used in war but these are controlled by a human who makes the calculated decision on whether or not to discharge the weapon, but can you really feel safe with the drone itself making the decision?
The United Nations are planning to prevent the development of automated weaponry but, considering how hard it is to control nuclear weapons, can the development of automated weaponry really be prevented?
I’ll let you make your own decision on the ethics of this.
DeepFake Ransomware
Not quite as scary as killer robots but not far off, DeepFake Ransomware is becoming a more dangerous tool in a hacker’s arsenal. We have all heard of ransomware where a malicious hacker encrypts your data and demands you pay a ransom to get the decryption key so you can recover your information. Well DeepFake Ransomware is the bigger, bolder and boisterous brother of traditional Ransomware.
Using just a few genuine photos of somebody, fake but lifelike videos can be made of the individual by somebody with malicious intent who can then blackmail the compromised person into paying a ransom to prevent the fake video being distributed. For those of you thinking well surely it’s obvious the video is fake, well wait until you see a DeepFake video to see just how real it appears. Whilst the target audience of ransomware is generally anybody who has money, whether an individual or a company, DeepFake Ransomware thrives on being more selective. The key candidates to fall victim to DeepFake Ransomware include teenagers and successful/powerful individuals such as politicians. Now the cogs in your head are spinning whilst you are thinking “I can understand politicians, but why teenagers”?
To understand the target audience, you first need to understand why DeepFake Ransomware will be successful. As the videos can be of exceptional quality (the more pictures the hacker has, the better quality the video can be), it can be hard for the compromised individual to convince viewers of the video that it is not really them. After all, the camera never lies. Right?
Now consider a teenager, consider how impressionable and emotional they are. A compromising video of them, even though it’s fake, can make them feel so fragile, especially when people they know start to believe it’s real. Therefore, teenagers are more likely to get the money and pay the ransom in the hope the video never gets distributed. Just think about how many pictures these teenagers post all over the internet. Now you understand how easy it will be for a realistic DeepFake Ransomware video to be created of a teenager.
Politicians are also key targets because their career depends on their reputation and a cleverly manipulated video can destroy a politician’s reputation long before they can prove the video is fake. I’m sure I don’t have to comment on the impact a false message from an influential person in a fake video can have either.
So all this talk of Ransomware raises the question: should you pay the ransom? Well, law authorities advise against it. If you pay the ransom there is no guarantee the malicious person will obey your wish and either destroy their fake video or provide you with a decryption key. After all, they hardly seem like a genuinely decent person if they blackmailed you in the first place, do they? Also, if people do pay the ransoms it encourages these malicious people to keep developing ransomware; if they never got paid and never made any money, the idea of developing Ransomware would become less attractive to them. Of course, the final decision is down to you and whether you think paying the ransom is worth the risk or not.
IPv6 and 5G
With the introduction of IPv6 and 5G our connected world capabilities have increased significantly; the only problem is so have the hacker’s. With IPv6 so many more devices (Internet of Things devices) can connect to the internet, as there are 4,294,967,296 IPv4 addresses but there are 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses. Combine this with 5G technology, which delivers much faster internet speeds covering a growing area, and the possibilities of the connected technology world are unimaginable. Almost every device can become a “smart device”, from the street light outside your house to the kettle in your kitchen.
This connected world sounds great but it is also very inviting to hackers. But how? What could a hacker possibly want with my kettle, are they going to make me a cup of tea? Well, many people don’t even keep their computers updated, so how many people will keep the software on their kettles updated? If smart devices such as smart kettles are not maintained they become an easy entry point onto your home network for a hacker. A hacker can then manoeuvre around your network from your kettle onto a more appealing device such as your laptop; they could then enable your webcam without you realising and begin spying on you.
Like the rest of this article, I’m not writing all of this to scare you. I’m informing you so you can be prepared and begin to think about the bigger picture. I’m not saying you shouldn’t buy or use these devices, I’m simply saying before you do use them really understand the risks and make sure you mitigate them.
As an example, you could mitigate the risks of a smart IoT device such as a kettle by making sure you keep the software updated and by segregating your home network, so that even if a hacker gets into your kettle they are limited in where they can move around on your network and can only reach devices within that section of your network. After all, your kettle doesn’t need to be accessible from your laptop. Of course, a kettle is just an example here; the same applies to all Internet of Things devices.
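To make the segregation idea concrete, here is an added example (not from the conference or any vendor) that checks a flow log for traffic crossing between a trusted segment and an IoT segment. The prefixes, addresses and the flow log are constructed, and IPv6 prefixes are included because a split that only covers IPv4 leaves the IPv6 path between kettle and laptop open.

```python
import ipaddress

# Constructed home-network layout (assumption): IPv4 and IPv6 prefix per segment.
SEGMENTS = {
    "trusted": ["192.168.10.0/24", "fd00:10::/64"],  # laptops, phones
    "iot": ["192.168.20.0/24", "fd00:20::/64"],      # kettle, bulbs, cameras
}
# (source segment, destination segment) pairs allowed to talk to each other.
# Empty here: the kettle and the laptop never need to reach one another.
ALLOWED_CROSS_SEGMENT = set()

NETS = [(name, ipaddress.ip_network(p))
        for name, prefixes in SEGMENTS.items() for p in prefixes]


def segment_of(addr):
    """Map an address to its segment name, or 'internet' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in NETS:
        if ip.version == net.version and ip in net:
            return name
    return "internet"


def audit(flows):
    """Return the flows that cross a segment boundary without being allowed."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d or "internet" in (s, d):
            continue  # same segment, or internet traffic (a separate policy)
        if (s, d) not in ALLOWED_CROSS_SEGMENT:
            violations.append((src, dst, port, f"{s}->{d}"))
    return violations


# Constructed flow log: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("192.168.20.15", "192.168.10.7", 445),    # kettle -> laptop
    ("192.168.20.15", "192.168.20.16", 1883),  # kettle -> bulb, same segment
    ("fd00:20::15", "fd00:10::7", 22),         # kettle -> laptop over IPv6
    ("192.168.10.7", "198.51.100.20", 443),    # laptop -> internet
    ("192.168.20.15", "203.0.113.9", 443),     # kettle -> update server
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("cross-segment flow:", v)
```

Any line it prints is a connection the firewall between the two segments should have dropped.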
The future is now
It’s an uneasy feeling when you realise just how much companies know about you. Take Google for example: they know where you have been, how long you have been there, how much you have spent in that location and who you were with. It’s almost like having a stalker, but one you have signed up for and willingly take around with you. Now imagine these companies predicting your future, knowing what you will do before you do it, knowing what you want before you realise you want it. This is the route we are heading down. Companies are using AI to analyse the information they have on you to learn your habits, learn your routine and therefore start predicting what you are going to be doing.
These companies also compare your traits with those of other people they have collected information on and use the collected information to start predicting what you will do. For example, they may notice you have similar purchasing traits to some other individuals, buying similar items, so they can look at items these other individuals have purchased that you haven’t yet and start making recommendations to you, encouraging you to make these purchases.
Investment in staff
A common theme echoed throughout the event was the requirement to invest in upskilling current staff. With emerging technology there are emerging threats, and it is therefore crucial that employers invest in their current staff and enhance their capabilities in improving the Cyber Security of the organisation.
Hackers are becoming increasingly aware of the new technology and are constantly working on ways to exploit it. If companies are not investing in their security professionals so they can fully understand the risks that are introduced by the new technology then they are leaving themselves vulnerable and inviting hackers to exploit them.
Conclusion
As technology continues to advance and become more sophisticated so does hacking. It’s great to have all these new gadgets and the arrival of self-driving cars sounds incredibly exciting but it is critical we understand the risks of the latest and greatest technology and do all we can to mitigate them.